These three Samsung Galaxy phones had vulnerabilities exploited by an attacker
According to a blog post from Google Project Zero (via TechCrunch), a trio of zero-day vulnerabilities in some newer Samsung Galaxy phones was being exploited by a commercial surveillance vendor. These companies could be telecom or tech firms tracking their customers for the purpose of monetizing personal data by sending custom advertising. Or it could be more sinister (more on this below).
Certain Samsung Galaxy handsets using the homegrown Exynos chipset had these vulnerabilities
According to the Federal Trade Commission, such companies engage in the "collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information." Beyond the direct harm these practices do to consumers, the FTC is looking to collect information showing that they lead to psychological harm, damage to reputations, and unwanted intrusions that accompany the collection of this personal data.
One of the phones exploited was the Samsung Galaxy S10
But this specific situation could be more serious. While Google didn't name a specific commercial surveillance vendor, it did say that the pattern resembles a previous exploitation that delivered "powerful nation-state spyware" via a malicious Android app. The vulnerabilities found in Samsung's custom-built software were part of an exploit chain that would allow the attacker to obtain kernel read and write privileges, which could eventually expose personal data on the phone.
The exploit targets Samsung Galaxy handsets powered by an Exynos SoC using kernel 4.14.113. Phones matching that description include the Samsung Galaxy S10, Galaxy A50, and the Galaxy A51. Versions of those phones sold in the U.S. and China are equipped with a Qualcomm Snapdragon chipset, while in most other regions, such as Europe and Africa, the Exynos SoC is used. Google says that the exploit "relies on both the Mali GPU driver and the DPU driver which are specific to the Exynos Samsung phones."
The problems would start when a user was tricked into sideloading an app on their phone. Sideloading in this case means downloading an app from a third-party Android app store rather than the Google Play Store. Google reported the vulnerabilities to Samsung in 2020, and while Sammy did send out a patch in March 2021, the company failed to mention that the vulnerabilities were being actively exploited.
Google's Maddie Stone, who wrote the blog post, says, "The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices." Stone also pointed out that with more research, new vulnerabilities could be discovered in custom software used on Android devices by phone manufacturers like Samsung. Stone added, "It highlights a need for more research into manufacturer specific components. It shows where we ought to do further variant analysis."
Use the comments section on the Play Store or a third-party Android app store to look for red flags
Moving forward, Samsung has agreed to reveal when its vulnerabilities are actively being exploited, joining Apple and Google. The latter two companies already alert users when such an event is taking place.
Back in June, we told you about spyware called Hermit that was used by governments on victims targeted in Italy and Kazakhstan. Similar to the security issue found on the three Exynos-powered Galaxy phones, Hermit required that a user sideload a malicious app. Eventually, this malware would steal the contacts, location data, photos, videos, and audio recordings from the victim's handset.
One quick and dirty rule that might still work these days is to give the comments section a good look before installing an app from a developer you've never heard of before. If any red flags show up, quickly run away from that app's listing and never look back. Another great piece of advice is not to sideload any app. Yes, malware-laced apps somehow get through Google Play security too many times but you're probably still less likely to get "infected" by sticking to loading apps from the Play Store.